DETAILED ACTION

Remarks 

1. Content leaving a local network can be captured. Objects captured over a 
network by a capture system can be indexed to provide enhanced search and content 
analysis capabilities. In one embodiment the objects can be indexed using a data 
structure having a source address field to indicate an origination address of the object, a 
destination address field to indicate a destination address of the object, a source port 
field to indicate an origination port of the object, a destination port field to indicate a 
destination port of the object, a content field to indicate a content type from a plurality of 
content types identifying a type of content contained in the object, and a time field to 
indicate when the object was captured. The data structure may also store a 
cryptographic signature of the object to ensure the object is not altered after capture. 
However, this inventive concept has been repeatedly done by the following prior arts. 

2. (U.S. 7,185,073 B1) by Gai et al. ("Gai") 

3. "Cryptographic Hash Functions" by Bart Preneel ("Preneel"). 
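
As an added illustration (not part of the Office action, the application, or either cited reference), the tag described in Remark 1 can be sketched as follows. The field names, the choice of SHA-256 for the object signature and of HMAC-SHA256 with a constructed key for the tag signature are assumptions; the text above specifies only "a cryptographic signature".

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

# Constructed demo key (assumption): held by the capture system, not stored with the tags.
TAG_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Tag:
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    content_type: str
    captured_at: int      # Unix time of capture
    object_sig: str = ""  # SHA-256 of the captured object
    tag_sig: str = ""     # HMAC-SHA256 over every other field


def _canonical(tag: Tag) -> bytes:
    """Serialize all fields except tag_sig in one fixed, unambiguous form."""
    fields = asdict(tag)
    del fields["tag_sig"]
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(tag: Tag, obj: bytes, key: bytes = TAG_KEY) -> Tag:
    """Fill in the object signature, then sign the tag (object_sig included)."""
    tag = replace(tag, object_sig=hashlib.sha256(obj).hexdigest(), tag_sig="")
    return replace(tag, tag_sig=hmac.new(key, _canonical(tag), hashlib.sha256).hexdigest())


def verify(tag: Tag, obj: bytes, key: bytes = TAG_KEY) -> list[str]:
    """Return the list of detected modifications; an empty list means intact."""
    problems = []
    expected = hmac.new(key, _canonical(tag), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.tag_sig):
        problems.append("tag modified")
    if not hmac.compare_digest(hashlib.sha256(obj).hexdigest(), tag.object_sig):
        problems.append("object modified")
    return problems


def search(tags: list[Tag], **criteria) -> list[Tag]:
    """Find tags matching one or more field values, e.g. dst_port=25."""
    return [t for t in tags if all(getattr(t, k) == v for k, v in criteria.items())]


# Constructed sample capture (documentation addresses, made-up payload).
SAMPLE_OBJECT = b"%PDF-1.4 constructed sample payload"
SAMPLE_TAG = seal(
    Tag("192.0.2.10", "198.51.100.7", 49152, 25, "PDF", 1246838400), SAMPLE_OBJECT
)

if __name__ == "__main__":
    print(verify(SAMPLE_TAG, SAMPLE_OBJECT))                        # intact
    print(verify(SAMPLE_TAG, SAMPLE_OBJECT + b"!"))                 # object changed
    print(verify(replace(SAMPLE_TAG, dst_port=80), SAMPLE_OBJECT))  # tag field changed
```

Because the tag signature covers the object signature, replacing a stored object and rewriting its hash in the tag is still reported as a modified tag.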

Continued Examination Under 37 CFR 1.114 

4. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. 

5. Applicant's submission filed on 07/06/2009 has been entered. Claims 1-17, 26-27
are pending in this Application. 

Response to Arguments 

6. Applicant's arguments filed on 07/06/2009 have been fully considered but they 
are not persuasive for the following reasons: 

Applicant argues that Gai does not disclose "items being captured". However, 
Gai discloses (on column 8 lines 31-52) software entities executing on the various end 
stations and servers typically communicate with each other by exchanging discrete 
packets or frames of data according to predefined protocols, such as the Transmission 
Control Protocol/Internet Protocol (TCP/IP), the Internet Packet Exchange (IPX) 
protocol, the AppleTalk protocol, the DECNet protocol or NetBIOS Extended User 
Interface (NetBEUI). In this context, a protocol consists of a set of rules defining how 
the entities interact with each other. Data transmission over the network consists of 
generating data in a sending process executing on a first end station, passing that 
data down through the layers of a protocol stack where the data are sequentially 
formatted for delivery over the links as bits. Those frame bits are then received 
at the destination station where they are re-assembled and passed up the 
protocol stack to a receiving process. Each layer of the protocol stack typically 
adds information (in the form of a header) to the data generated by the upper layer as 
the data descends the stack. At the destination station, these headers are stripped off 
one-by-one as the frame propagates up the layers of the stack until it arrives at the 
receiving process. 

Examiner respectfully disagrees with all other allegations as argued, as will be
discussed in detail below. Examiner, in her previous office action, gave a detailed
explanation of the claimed limitation and pointed out exact locations in the cited prior art.

Examiner is entitled to give claim limitations their broadest reasonable 
interpretation in light of the specification. See MPEP 2111 [R-1].

Interpretation of Claims-Broadest Reasonable Interpretation 

During patent examination, the pending claims must be 'given the 
broadest reasonable interpretation consistent with the specification'. 

Applicant always has the opportunity to amend the claims during prosecution,
and broad interpretation by the examiner reduces the possibility that the claim, once
issued, will be interpreted more broadly than is justified. In re Prater, 162 USPQ
541, 550-51 (CCPA 1969).

7. Claim Rejections - 35 USC §103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 

Claims 10-17, 27 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over U.S. 7,185,073 B1 issued to Gai et al. ("Gai") and in view of "Cryptographic Hash 
Functions" issued to Bart Preneel ("Preneel"). 

As per claim 1, Gai explicitly teaches "a computer readable medium having stored
thereon data representing instructions that, when executed by a processor, cause the 
processor to perform operations comprising": 

generating a tag describing an object captured during transmission from an origination 
address to a destination address, wherein the tag includes, (column 8 lines 31-52) 
"a source address field to indicate an origination address of the object," (column 1 lines 
17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 
51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5), 

"a destination address field to indicate a destination address of the object," (column 1 
lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 
lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 
lines 11-66, column 16 lines 1-5), 

"a source port field to indicate an origination port of the object," (column 1 lines 17-66, 
column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, 
column 16 lines 1-5), 

"a destination port field to indicate a destination port of the object," (column 1 lines 17- 
66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 51-66, column 4 lines 1-16, 
column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5), 

"a content field to indicate a content type from a plurality of content types identifying a
type of content contained in the object," (column 11 lines 48-66, Fig. 7B, Fig. 6), and
"a time field to indicate when the object was captured," (column 14 lines 30-46); and 
"storing the tag in a database, wherein the tag indexes a captured object in storage, the 
tag being stored to allow subsequent searching for the tag based on one or more of the 
fields, (Figures 7A, 7B). 

Gai does not explicitly teach "wherein a tag signature is generated based on the 
tag, and wherein the object and the tag signature are evaluated to verify if they have 
been modified since original storage". However, Preneel teaches hash function of the 
object and hash function of the tag to generate tag signature and verify if they have 
been modified (pages 2-5 sections 2-2.3). Thus, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to provide the data
structure of Gai with the teaching of Preneel by using the hash function to solve the 
security problems in telecommunication and computer networks. 

As per claim 2, Gai further shows "the plurality of content types," comprises: 
"JPEG, GIF, BMP, TIFF, PNG, Skintone, PDF, MSWord, Excel, PowerPoint, MSOffice, 
HTML, WebMail, SMTP, Telnet, Rlogin, FTP, Chat, GZIP, ZIP, TAR, C++ Source, C 
Source, FORTRAN Source, Verilog Source, C Shell, K Shell, Bash Shell, Plaintext, 
Crypto, LIF, Binary Unknown, ASCII Unknown, and Unknown," (column 11 lines 48-66, 
Fig. 7B, Fig. 6). 

As per claim 3, Gai further shows "generating a device identity field to indicate a 
device that captured the object," (column 12 lines 46-66, column 13 lines 1-6). 

As per claim 4, Gai further shows "generating a protocol field to indicate the
protocol that carried the object," (column 12 lines 46-66, column 13 lines 1-6, Fig. 7B). 

As per claim 5, Gai further shows "an instance field to indicate a 
number of the object in a connection," (column 14 lines 30-62). 

As per claim 6, Gai further shows "generating an encoding field to indicate how
the object was encoded," (column 19 lines 1-14, column 19 lines 26-37). 

As per claim 7, Gai further shows "generating a size field to indicate the size of 
the object," (column 8 lines 40-52). 

As per claim 8, Gai further shows "generating an owner field to indicate an 
entity that requested capture of the object," (column 12 lines 10-23, column 18 lines 37- 
66). 

As per claim 9, Gai further shows "generating a capture rule field to indicate a 
rule that triggered capture of the object," (column 19 lines 1-37). 

As per claim 10, Gai does not explicitly teach "generating a signature field to 
store a signature of the object". However, Preneel teaches a similar data structure of 
hash function (pages 2-5 sections 2-2.3). Thus, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to provide the data
structure of Gai with the teaching of Preneel by using the hash function to solve the 
security problems in telecommunication and computer networks. 

As per claim 11, Gai does not explicitly teach "the signature comprises a digital
cryptographic signature," (pages 2-5 sections 2-2.3). However, Preneel teaches a hash
function to generate signature (pages 2-5 sections 2-2.3). Thus, it would have been
obvious to one of ordinary skill in the art at the time the invention was made to
provide the data structure of Gai with the teaching of Preneel by using the hash function 
to solve the security problems in telecommunication and computer networks. 

As per claim 12, Gai does not explicitly teach "generating a tag signature field to 
store a signature of the data structure". However, Preneel teaches a similar data 
structure of hash function (pages 2-5 sections 2-2.3). Thus, it would have been obvious 
to one of ordinary skill in the art at the time the invention was made to provide the
data structure of Gai with the teaching of Preneel by using the hash function to solve the 
security problems in telecommunication and computer networks. 

As per claim 13, Gai does not explicitly teach "the tag signature comprises a 
digital cryptographic signature," (pages 2-5 sections 2-2.3). However, Preneel teaches a 
hash function to generate signature (pages 2-5 sections 2-2.3). Thus, it would have 
been obvious to one of ordinary skill in the art at the time the invention was made to
provide the data structure of Gai with the teaching of Preneel by using the hash function 
to solve the security problems in telecommunication and computer networks. 

As per claim 14, Gai does not explicitly teach: "a computer readable medium 
having stored thereon data representing instructions that, when executed by a 
processor, cause the processor to perform operations comprising": 
storing data associated with capture of an object by a capture system to create a tag 
that indexes the captured object in storage, the data comprising: 
"an Ethernet controller MAC address of the capture system that captured the object," 
(column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 8 lines 53-66, 
column 9 lines 1-4, column 8 lines 31-66, column 9 lines 1-4);

"a source Ethernet IP address of the object," (column 1 lines 17-66, column 2 lines 1-66, 
column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, column 4 lines 1-16, 
column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5); 
"a destination Ethernet IP address of the object," (column 1 lines 17-66, column 2 lines 
1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, column 4 lines 1- 
16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1- 
5); 

"a source TCP/IP port number of the object," (column 1 lines 17-66, column 2 lines 1-
66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, column 4 lines 1-
16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-
5);

"a destination TCP/IP port number of the object," (column 1 lines 17-66, column 2 lines
1-66, column 3 lines 1-10, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-
66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5);

"an IP protocol that carried the object when captured by the capture
system," (column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3
lines 12-34, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9
lines 1-4, column 15 lines 11-66, column 16 lines 1-5);

"a canonical count of a number of the object within a TCP/IP connection," (column 2 
lines 15-27); 

"a content type of the object," (column 11 lines 48-66, Fig. 7B, Fig. 6); 

"an encoding that was used on the object," (column 19 lines 1-14, column 19 lines 26-
37);

"a size of the object," (column 8 lines 40-52); 

"a timestamp indicating when the capture system captured the object," (column 14 lines 
30-46); 

"a user who requested capture of the object," (column 12 lines 10-23, column 18 lines 
37-66); 

"a capture rule that directed capture of the object," (column 19 lines 1-37); 
"a hash signature of the object," (pages 2-5 sections 2-2.3); and 
a hash signature of the tag, (pages 2-5 sections 2-2.3), 

the tag being stored to allow subsequent searching for the tag based on one or more of 
the fields, (Figures 7A, 7B), 

wherein the signatures are evaluated to verify if they have been modified since original 
storage," (pages 2-5 sections 2-2.3). 

However, Preneel teaches hash function of the object and hash function of the 
tag to generate tag signature and verify if they have been modified (pages 2-5 sections 
2-2.3). Thus, it would have been obvious to one of ordinary skill in the art at the time
the invention was made to provide the data structure of Gai with the teaching of Preneel
by using the hash function to solve the security problems in telecommunication and 
computer networks. 

As per claim 15, Preneel and Gai teach the data structure of claim 14 discussed 
above. Preneel also teaches: "the hash signature of the object comprises a digital 
cryptographic signature of the object," (pages 2-5 sections 2-2.3). However, Preneel
teaches a hash function to generate signature (pages 2-5 sections 2-2.3). Thus, it
would have been obvious to one of ordinary skill in the art at the time the invention
was made to provide the data structure of Gai with the teaching of Preneel by using the
hash function to solve the security problems in telecommunication and computer 
networks. 

As per claim 16, Preneel and Gai teach the data structure of claim 14 discussed 
above. Preneel also teaches: "the hash signature of the tag comprises a digital 
cryptographic signature of the tag," (pages 2-5 sections 2-2.3). However, Preneel 
teaches a hash function to generate signature (pages 2-5 sections 2-2.3). Thus, it 
would have been obvious to one of ordinary skill in the art at the time the invention
was made to provide the data structure of Gai with the teaching of Preneel by using the
hash function to solve the security problems in telecommunication and computer 
networks. 

As per claim 17, Gai explicitly teaches "the content type of the object is one of
JPEG, GIF, BMP, TIFF, PNG, Skintone, PDF, MSWord, Excel, PowerPoint, MSOffice, 
HTML, WebMail, SMTP, Telnet, Rlogin, FTP, Chat, GZIP, ZIP, TAR, C++ Source, C 
Source, FORTRAN Source, Verilog Source, C Shell, K Shell, Bash Shell, Plaintext, 
Crypto, LIF, Binary Unknown, ASCII Unknown, and Unknown," (column 11 lines 48-66, 
Fig. 7B, Fig. 6). 

As per claim 26, Gai explicitly teaches "a method to index a captured object,
comprising": 



Application/Control Number: 10/814,093 Page 12 

Art Unit: 2163 

generating for storage of objects captured during transmission from an origination 
address to a destination address: 

"a source address field to indicate an origination address of the object," (column 1 lines 
17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 
51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5); 

"a destination address field to indicate a destination address of the object," (column 1 
lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 
lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 
lines 11-66, column 16 lines 1-5); 

"a source port field to indicate an origination port of the object; a destination port field to 
indicate a destination port of the object," (column 1 lines 17-66, column 2 lines 1-66, 
column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, column 4 lines 1-16, 
column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5); 
"a content field to indicate a content type from a plurality of content types identifying a 
type of content contained in the object," (column 8 lines 31-52, column 11 lines 48-66,
Fig. 7B, Fig. 6); and 

"a time field to indicate when the object was captured," (column 14 lines 30-46); and 
"storing data in the fields to create a tag, the tag indexing a captured object in storage, 
the tag being stored to allow subsequent searching for the tag based on one or more of 
the fields, (Figures 7A, 7B), 
wherein a tag signature is generated based on the tag, and wherein the object and the
tag signature are evaluated to verify if they have been modified since original storage," 
(pages 2-5 sections 2-2.3). 

However, Preneel teaches hash function of the object and hash function of the 
tag to generate tag signature and verify if they have been modified (pages 2-5 sections 
2-2.3). Thus, it would have been obvious to one of ordinary skill in the art at the time
the invention was made to provide the data structure of Gai with the teaching of Preneel
by using the hash function to solve the security problems in telecommunication and 
computer networks. 

As per claim 27, Gai explicitly teaches "a method to index a captured object,
comprising": 

storing data associated with capture of an object by a capture system to create a tag 
indexing the captured object in storage, the data comprising: 

"an Ethernet controller MAC address of the capture system that captured the object," 
(column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 8 lines 53-66, 
column 9 lines 1-4, column 8 lines 31-66, column 9 lines 1-4); 

"a source Ethernet IP address of the object," (column 1 lines 17-66, column 2 lines 1-66, 
column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, column 4 lines 1-16, 
column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5); 
"a destination Ethernet IP address of the object," (column 1 lines 17-66, column 2 lines 
1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, column 4 lines 1- 
16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-
5);

"a source TCP/IP port number of the object," (column 1 lines 17-66, column 2 lines 1-
66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, column 4 lines 1-
16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-
5);

"a destination TCP/IP port number of the object," (column 1 lines 17-66, column 2 lines
1-66, column 3 lines 1-10, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-
66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5);

"an IP protocol that carried the object when captured by the capture
system," (column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3
lines 12-34, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9
lines 1-4, column 15 lines 11-66, column 16 lines 1-5);

"a canonical count of a number of the object within a TCP/IP
connection," (column 2 lines 15-27);

"a content type of the object," (column 11 lines 48-66, Fig. 7B, Fig. 6);

"an encoding that was used on the object," (column 19 lines 1-14, column 19 lines 26-
37);

"a size of the object," (column 8 lines 40-52);

"a timestamp indicating when the capture system captured the
object," (column 14 lines 30-46);

"a user who requested capture of the object," (column 12 lines 10-23, column 18 lines
37-66);

"a capture rule that directed capture of the object," (column 19 lines 1-37); 
"a hash signature of the object," (pages 2-5 sections 2-2.3); and 
"a hash signature of the tag, (pages 2-5 sections 2-2.3), 

the tag being stored to allow subsequent searching for the tag based on one or more of 
the fields, (Figures 7A, 7B), 

wherein the signatures are evaluated to verify if they have been modified since original 
storage," (pages 2-5 sections 2-2.3). 

However, Preneel teaches hash function of the object and hash function of the 
tag to generate tag signature and verify if they have been modified (pages 2-5 sections 
2-2.3). Thus, it would have been obvious to one of ordinary skill in the art at the time
the invention was made to provide the data structure of Gai with the teaching of Preneel
by using the hash function to solve the security problems in telecommunication and 
computer networks. 

Conclusion 

9. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Contact Information

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kim T. Nguyen whose telephone number is (571)270- 
1757. The examiner can normally be reached on 7:30AM to 5:00PM East. Alt Friday 
off. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Don Wong can be reached on 571-272-1834. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Examiner, Art Unit 2163